garethnic/eloquent-cipher

Laravel and Ciphersweet integration

Laravel and CipherSweet integration

Foundation provided by:

• Paragonie - CipherSweet
• Paragonie - Eloquent CipherSweeet

Resources:

• CipherSweet Docs
• Building Searchable Encrypted Databases with PHP and SQL
• CipherSweet: Searchable Encryption Doesn't Have to be Bitter
• Blind Index Planning NB: Important

Installation

You can install the package via composer:

composer require garethnic/eloquent-cipher

You can publish and run the migrations with:

php artisan vendor:publish --tag="eloquent-cipher-migrations"
php artisan migrate

You can publish the config file with:

php artisan vendor:publish --tag="eloquent-cipher-config"

This is the contents of the published config file:

return [
    /*
    |--------------------------------------------------------------------------
    | Cryptographic Backend
    |--------------------------------------------------------------------------
    |
    | This controls which cryptographic backend will be used by CipherSweet.
    | Unless you have specific compliance requirements, you should choose
    | "nacl".
    |
    | Supported: "fips", "nacl"
    |
    */

    'backend' => env('CIPHERSWEET_BACKEND', 'nacl'),

    /*
    |--------------------------------------------------------------------------
    | Key Provider
    |--------------------------------------------------------------------------
    |
    | Select which key provider your application will use. The default option
    | is to read a string literal out of .env, but it's also possible to
    | provide the key in a file, use a custom key provider, or use random keys
    | for testing.
    |
    | "string" is selected by default to read a key directly from your .env
    | file. Use `artisan ciphersweet:generate:key` to securely generate that
    | key.
    |
    | Supported: "custom", "file", "random", "string"
    |
    */

    'provider' => env('CIPHERSWEET_PROVIDER', 'string'),

    /*
    |--------------------------------------------------------------------------
    | Key Providers
    |--------------------------------------------------------------------------
    |
    | Set provider-specific options here. "string" will read the key directly
    | from your .env file. "file" will read the contents of the specified file
    | to use as your key. "custom" points to a factory class that returns a
    | provider from its `__invoke` method. Please see the docs for more details.
    |
    */

    'providers' => [
        'custom' => [
            //'via' => \App\CipherSweetKey\CreateKeyProvider::class,
        ],
        'file' => [
            'path' => env('CIPHERSWEET_FILE_PATH'),
        ],
        'string' => [
            'key' => env('CIPHERSWEET_KEY'),
        ],
    ],
];

Usage

php artisan ciphersweet:generate:key

Once the configuration is done, you can begin using encrypted fields in your models.

CipherSweet Trait

<?php
use ParagonIE\CipherSweet\BlindIndex;
use ParagonIE\CipherSweet\EncryptedRow;
use Illuminate\Database\Eloquent\Model;
use ParagonIE\EloquentCipherSweet\CipherSweet;

class Blah extends Model
{
    use CipherSweet;
    
    protected static function configureCipherSweet(EncryptedRow $encryptedRow)
    {
        return $encryptedRow
            ->addTextField('id_number')
            ->addBlindIndex('id_number', new BlindIndex('users_id_number_index_1', [], 7));
    }

    public function getTable()
    {
        return 'users';
    }
}

Where 7 above refers to the filter bits which is very important to get right. Refer to Blind Index Planning.

Testing

composer test

Changelog

Please see CHANGELOG for more information on what has changed recently.

Credits

• Gareth Nicholson

License

The MIT License (MIT). Please see License File for more information.